Thursday, January 17, 2013

Backtrack Forensics: samdump & samdump2

Menu: Forensics -> Password Forensic Tools
Directory: /pentest/forensics/samdump/

samdump produces an smbpasswd file from a copy of the NT registry. It supports SYSKEY, LanMan, and NT-password hashes. It needs an offline copy of the SAM hive (and the SYSTEM hive as well, since that is where the key used to encrypt the SAM is stored) from Windows, which can be found here:

C:\Windows\system32\config\sam
C:\Windows\system32\config\system

I tried with SAM files from multiple Windows versions, without luck. I got the following error, and then it stopped:

"\SystemRoot\System32\Config\SAMPage at 0x7000 is not 'hbin', assuming file contains garbage at end"
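The message above is samdump walking the hive page by page and hitting a page that does not start with the 'hbin' signature. Before blaming the tool, it is worth checking whether the copied hive itself is intact. The script below is an added example (not from the original post or from the samdump projects) that validates the base block and the hbin chain the same way; `make_hive` builds constructed synthetic hives, not a real SAM, so the check runs offline.

```python
import struct

BASE_BLOCK = 0x1000                 # the 'regf' base block is the first 4 KiB of a hive
HBIN_HDR = struct.Struct("<4sII")   # hbin header: signature, offset from first hbin, size

def header_checksum(base):
    # XOR of the first 508 bytes as little-endian uint32s; Windows stores it at offset 508
    x = 0
    for (word,) in struct.iter_unpack("<I", base[:508]):
        x ^= word
    return x

def check_hive(data):
    """Return a list of problems found in a raw hive image (empty list == looks sane)."""
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        return ["no 'regf' base block: not a registry hive"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    bins_size = struct.unpack_from("<I", data, 40)[0]
    if seq1 != seq2:
        problems.append(f"dirty hive: sequence numbers {seq1} != {seq2} (not cleanly flushed)")
    if struct.unpack_from("<I", data, 508)[0] != header_checksum(data):
        problems.append("base block checksum mismatch")
    if len(data) < BASE_BLOCK + bins_size:
        problems.append(f"truncated: header claims {bins_size:#x} bytes of bins, file has {len(data) - BASE_BLOCK:#x}")
    # Walk the hbin chain the way a SAM dumper does: every 4 KiB-aligned page must start with 'hbin'
    off, end = BASE_BLOCK, min(len(data), BASE_BLOCK + bins_size)
    while off + HBIN_HDR.size <= end:
        sig, rel, size = HBIN_HDR.unpack_from(data, off)
        if sig != b"hbin" or rel != off - BASE_BLOCK or size == 0 or size % 0x1000:
            problems.append(f"Page at {off:#x} is not 'hbin'")
            break
        off += size
    return problems

def make_hive(pages, seq=(1, 1), corrupt_page=None):
    """Build a synthetic hive (constructed test data, not a real SAM) with `pages` 4 KiB bins."""
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 4, *seq)            # primary/secondary sequence numbers
    struct.pack_into("<I", base, 40, pages * 0x1000)  # hive bins data size
    struct.pack_into("<I", base, 508, header_checksum(base))
    body = bytearray()
    for i in range(pages):
        page = bytearray(0x1000)
        HBIN_HDR.pack_into(page, 0, b"hbin", i * 0x1000, 0x1000)
        if i == corrupt_page:
            page[:] = b"\xff" * 0x1000                     # garbage where a bin should be
        body += page
    return bytes(base + body)
```

Run `check_hive(open("SAM", "rb").read())` on your copied hive; a non-empty list explains the dumper's failure without touching the tool.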

The command to run is fairly simple:

./samdump hives

I also tried samdump2, which does the same thing and is located at "/usr/bin/samdump2"; it worked just fine. It requires two arguments, the SAM and SYSTEM registry hives:

samdump2 /root/forensics/SAM /root/forensics/system

Update 10/29/2013:

samdump2 requires the boot key rather than the SYSTEM registry hive; the key can be extracted from SYSTEM with bkhive:

bkhive SYSTEM bootkey

samdump2 SAM bootkey

Official website for samdump: http://gpl.internetconnection.net/
Official website for samdump2: http://sourceforge.net/projects/ophcrack/files/samdump2/
